Best practise for "DMZ" web server behind ASUS router

fozters

Occasional Visitor
Hi,

I have an RT-AC66U running Merlin 374.40 (at least at this point).

I have a web server which I would like to somehow isolate from other LAN devices. (This web server is inside ESXi, so I am just mentioning that if there is some ESXi routing option to achieve LAN separation, that would be an option if there is no other way of accomplishing what I want :) )

What would be the best practice to achieve this, as I think this would be safer on the security side?

I haven't yet tried any configurations myself, because after a little bit of research I discovered that the virtual DMZ option seems not to be the DMZ option I thought it was. It seems to just forward all the packets from the web to this IP (inside the same LAN). From what I understand and have read, this machine would still be able to access all the devices in the same LAN.

Would some port forwarding rules be possible or wise to accomplish what I want?
Something like setting a virtual server / port forwarding rule for one port to the web server IP address, and setting some port forwarding or firewall rules to limit all access from the web server to other LAN devices??

So I would like to be able to connect from this web server to the internet to get updates. I would like to be able to connect from the LAN to this server so I can change its config (not necessary, because I would still have ESXi console access).
I would like this web server not to have any access to the machines on the same LAN it is connected to.

I do not have any experience on this area :eek:
 
LAN traffic is switched, not routed, so the only way to isolate that web server would have to be configured on the server itself.
 
Thanks Merlin for your input.

Okay, so yes, to be clear: I only have one modem (bridged, with only 1 WAN / 1 LAN port) -> ASUS RT-AC66U (DHCP, LAN) -> hosts, so physical separation, i.e. 2 routers/switches, is not possible.
I would prefer it if there were some other way to separate/isolate this web server from the machines on the same subnet.

I have currently just forwarded the HTTPS port to the web server, which would probably be enough as long as I keep the software updated regularly.

But if there is some way to harden this web server's local network access (via a software approach), either from the ASUS box, ESXi or the OS (Linux) via some iptables rules, then I would like to use it.

I'm really not familiar with this area, and because of the lack of real hardware (home stuff), I'm really not sure which direction I should proceed in, if there even is a wise way. So a heads-up on the right direction would be appreciated, thanks :eek:
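The host-side option mentioned in the thread (isolation "configured on the server itself" with iptables on the Linux guest) is shown below as an added example; it is not from the thread or from the Asuswrt-Merlin project. The addresses are assumptions: LAN 192.168.1.0/24, router/DNS forwarder 192.168.1.1, a statically addressed web server, HTTPS forwarded in by the router, and SSH administration from the LAN. The script prints the iptables commands by default (DRY_RUN=1) so the policy can be reviewed before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): host-based isolation of a Linux web
# server that shares a LAN with other devices, using iptables.
# Assumed (constructed) values: LAN 192.168.1.0/24, gateway/DNS 192.168.1.1,
# server has a static IP, router forwards TCP 443 to it, admin SSH from LAN.
# DRY_RUN=1 (default) echoes the commands; DRY_RUN=0 sh isolate-webserver.sh
# applies them (run as root).

LAN_NET="192.168.1.0/24"                            # assumed LAN subnet
GATEWAY="192.168.1.1"                               # assumed router (also DNS forwarder)
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # other private ranges to refuse
: "${DRY_RUN:=1}"

# Wrapper so the same function can either show or apply the ruleset.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Clean slate: default-deny inbound; OUTPUT policy stays ACCEPT so that
    # unmatched traffic (public internet, e.g. update mirrors) still works.
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and return traffic for connections the server already has.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound service: HTTPS, which the router forwards from the internet.
    ipt -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    # Inbound admin: SSH only from the LAN side.
    ipt -A INPUT -p tcp --dport 22 -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Anything else inbound falls to the INPUT DROP policy.

    # Outbound: return traffic first (this also covers replies to LAN SSH
    # sessions), then DNS to the gateway, then refuse every NEW connection
    # the server tries to open toward LAN or other private hosts.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -d "$GATEWAY" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -d "$GATEWAY" -p tcp --dport 53 -j ACCEPT
    for net in $LAN_NET $RFC1918; do          # LAN listed explicitly, although 192.168.0.0/16 covers it
        ipt -A OUTPUT -d "$net" -j DROP
    done
    # Public destinations fall through to the OUTPUT ACCEPT policy.
}

# Sanity check: number of DROP rules that block new traffic toward private ranges.
count_private_drops() {
    (DRY_RUN=1; apply_rules) | grep -c -- '-j DROP'
}

apply_rules
```

Two caveats a practitioner would keep in mind: iptables only sees IPv4, so the same policy needs an ip6tables counterpart if the guest has IPv6, and it filters at layer 3, so the server can still ARP for and be ARPed by its neighbours. The VLAN and pfSense approaches discussed later in the thread separate the server at the network level rather than relying on the host to police itself.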
 
You might have to go down the VLAN route then. That will require custom firmware, and manual configuration of your VLANs.
 
If someone else is wondering about the same problem I had, just to let you know: I went the ESXi route and set up a pfSense vhost, which is now acting as my router/firewall/DHCP server, and it had all the options I needed.

Now the asus will be given an access point assignment ;)
 